All posts by Thibault Soyer

With the text of the draft Network and Information Security Directive (“NISD”) still being negotiated between EU institutions, and the national transposition deadline for the Directive likely to be 18 – 24 months from the date of EU adoption, some Member States are pre-empting the new regime with national legislation of their own. France has already implemented the principles enshrined in the draft Directive via its Military Programming Act, which was published at the end of 2013.
Overview
France has already implemented many of the principles enshrined in the Draft NISD into national law. The French Government published its strategy on Information systems and defence in February 2011. This included reviewing and where necessary strengthening cyber laws. As a result, the government passed Article 22 of Act n°2013-1168 dated 18 December 2013 (the “Military Programming Act”) which sets out several obligations applicable to vitally important operators (“VIOs”) which are …

CNIL’s recent ruling against Orange has wider lessons for all data controllers who rely on processors and sub processors to process personal data. Datonomy’s correspondent in Paris analyses the issues.
Facts
In its deliberation dated 7 August 2014 (but only published on 25 August), the CNIL issued, for the first time, a public warning (i.e. no fine has been imposed on Orange, but the sanction consists of the publication of CNIL’s ruling on its website) against a telecoms operator on the basis of personal data breach requirements (pursuant to Article 34 bis of the French Data Protection Act 1978). On 25 April 2014, Orange notified the CNIL of a technical failure in one of its marketing sub-processors, resulting in the leak of personal data (name, surname, birth date, email address and phone number) concerning 1.3 million subscribers. Following this notification, the CNIL investigated Orange and its processors’ premises and found …